CCI-003281
CCI-003281 Definition
Status | |
Type | CheckType.policy |
Master Assessment Datasheet
Implementation Guidance
Determine if:
- the developer of the system, system component, or system service is required to use threat modeling from similar systems, components, or services to inform the current development process.
- the developer of the system, system component, or system service is required to use vulnerability analyses from similar systems, components, or services to inform the current development process.
Validation Procedures
Examine: [SELECT FROM: System and services acquisition policy; supply chain risk management plan; procedures addressing development process, standards, and tools; solicitation documentation; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; threat modeling and vulnerability analyses from similar systems, system components, or system services; system security plan; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security responsibilities; system developer; organizational personnel with supply chain risk management responsibilities].